Disable or Control certificate auto-import?

on 14.12.2006 01:20:06 by Don Thimsen

I'm working with an IIS 6.0 website running on Windows 2003 Server.
It's normally used as an internal website, but we now have a small group
of geographically dispersed external users that require access. VPN isn't
practical in this situation, so I thought I'd try SSL.

I first tried using SelfSSL and then requiring SSL connections. The idea
being that I could export the certificate, and then get both internal and
external users to manually add the pfx file using the password I used
during the certificate creation.

This worked like I wanted until I realized users can "Continue to this
website (not recommended)" and get to the site anyway. Can the IIS
configuration be set up to disable auto-import for browsers (which I
doubt), or is there a way a "server" certificate can force a password
prompt during the auto-import? For example, do certificates from a real
CA have more capabilities?

I'm obviously new to this, and have also read about requiring client
certificates in IIS, but don't really understand how they could be
easily implemented in our environment.

Any suggestion?

TIA,
Don

Re: Disable or Control certificate auto-import?

on 14.12.2006 21:53:28 by Miha Pihler

Hi Don,

You can't use SelfSSL for client authentication. You can only use it on the
server itself. Certificates have their intended purposes (e.g. "Ensures the
identity of a remote computer" or "Proves your identity to a remote
computer"). The first one is used on the server for SSL, the second one is
used by clients for certificate authentication.

If your clients are part of a domain, you can install your own CA server and
deploy certificates to your users using Group Policies...

Here is some information on how to deploy a CA in your environment.

Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Cert templates -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx

Operations guide -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx

Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

--
Mike
Microsoft MVP - Windows Security

"Don Thimsen" wrote in message
news:%23zNrcWxHHHA.4056@TK2MSFTNGP03.phx.gbl...

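Mike's point that a server certificate and a client certificate carry different intended purposes is something you can check directly with OpenSSL. The script below is an added example, not code from either poster or from any Microsoft tool: it builds a throwaway CA plus one server certificate (extendedKeyUsage = serverAuth, which is all SelfSSL produces) and one client certificate (extendedKeyUsage = clientAuth), then asks `openssl verify -purpose` whether each leaf is acceptable as an SSL server or as an SSL client. The CA subject, the host name intranet.example.test and the file names are made up for the demo; everything is created in a temporary directory and removed afterwards. Windows shows the same two purposes in the certificate dialog as "Ensures the identity of a remote computer" (OID 1.3.6.1.5.5.7.3.1) and "Proves your identity to a remote computer" (OID 1.3.6.1.5.5.7.3.2).

```shell
#!/bin/sh
# Added example (not from the thread): build a demo CA, a server cert and a
# client cert, then show that OpenSSL's purpose check rejects a
# server-authentication cert offered as a client cert, and vice versa.
# All names, subjects and paths below are invented for the demo.

# Write the OpenSSL config used for every step, so the example does not
# depend on a system openssl.cnf being present or on its contents.
write_demo_config() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = req_dn

[req_dn]
CN = placeholder

# Issuing CA: may sign certificates and CRLs, nothing else.
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# What SelfSSL (or any web-server cert) gives you: serverAuth only.
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test

# What a user needs to authenticate to IIS: clientAuth only.
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Create ca.pem, server.pem and client.pem in a fresh temp dir and print
# that directory's path on stdout (all openssl chatter is discarded).
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    cnf="$dir/demo.cnf"
    write_demo_config "$cnf"
    # Self-signed CA: the role CAcert ended up playing in the thread.
    openssl genrsa -out "$dir/ca.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Demo Internal CA" \
        -days 1 -config "$cnf" -extensions v3_ca -out "$dir/ca.pem" \
        >/dev/null 2>&1 || return 1
    # One leaf per extended key usage, each issued by the demo CA.
    for leaf in server client; do
        openssl genrsa -out "$dir/$leaf.key" 2048 >/dev/null 2>&1 || return 1
        openssl req -new -key "$dir/$leaf.key" -subj "/CN=demo $leaf" \
            -config "$cnf" -out "$dir/$leaf.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$dir/$leaf.csr" -CA "$dir/ca.pem" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
            -extfile "$cnf" -extensions "${leaf}_ext" -out "$dir/$leaf.pem" \
            >/dev/null 2>&1 || return 1
    done
    printf '%s\n' "$dir"
}

# cert_fits_purpose CERT PURPOSE CAFILE
# Exit 0 when the chain validates AND the leaf's extensions permit PURPOSE
# (sslserver or sslclient). An EKU mismatch makes openssl verify report
# "unsupported certificate purpose" and exit non-zero.
cert_fits_purpose() {
    openssl verify -CAfile "$3" -purpose "$2" "$1" >/dev/null 2>&1
}

main() {
    pki=$(make_demo_pki) || { echo "could not build demo PKI" >&2; return 1; }
    for leaf in server client; do
        for purpose in sslserver sslclient; do
            if cert_fits_purpose "$pki/$leaf.pem" "$purpose" "$pki/ca.pem"; then
                echo "$leaf.pem as $purpose: accepted"
            else
                echo "$leaf.pem as $purpose: rejected"
            fi
        done
    done
    rm -rf "$pki"
}

main
```

Run it and only the two matching pairs are accepted: server.pem as sslserver and client.pem as sslclient. The rejections are exactly why importing the SelfSSL pfx into a browser's trust store can never restrict who reaches the site: that certificate says something about the server, nothing about the user, so the browser warning it suppresses was the only thing standing in the way. A client certificate with clientAuth, issued by a CA the server trusts, is what IIS's "require client certificates" option actually checks for.
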
Re: Disable or Control certificate auto-import?

on 15.12.2006 01:05:57 by Don Thimsen

Mike,

The MS Certificate Authority for the client certificates was never an
option - all the external users are outside our domain (and our control).

I finally decided to go with an external CA, and for our needs found that
CAcert works fine. It took me most of the day to get everything set up
correctly, but the website is now functional with a server certificate and
requires client certificates. Both are provided by CAcert...

Thanks,
Don



"Miha Pihler [MVP]" wrote in message
news:%23HQdpH8HHHA.784@TK2MSFTNGP03.phx.gbl...